From d10ad8444f29658d56eb7650a3781bc6cebe2620 Mon Sep 17 00:00:00 2001 From: Dov Murik Date: Thu, 1 Jul 2021 12:20:40 +0000 Subject: [PATCH] OvmfPkg/QemuKernelLoaderFsDxe: call VerifyBlob after fetch from fw_cfg In QemuKernelLoaderFsDxeEntrypoint we use FetchBlob to read the content of the kernel/initrd/cmdline from the QEMU fw_cfg interface. Insert a call to VerifyBlob after fetching to allow BlobVerifierLib implementations to add a verification step for these blobs. This will allow confidential computing OVMF builds to add verification mechanisms for these blobs that originate from an untrusted source (QEMU). The null implementation of BlobVerifierLib does nothing in VerifyBlob, and therefore no functional change is expected. Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457 Co-developed-by: James Bottomley Signed-off-by: James Bottomley Signed-off-by: Dov Murik Reviewed-by: Brijesh Singh Reviewed-by: Tom Lendacky Reviewed-by: Jiewen Yao
---
 OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
index c7ddd86f5c..6832d563bc 100644
--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
@@ -17,6 +17,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1039,6 +1040,14 @@ QemuKernelLoaderFsDxeEntrypoint (
 if (EFI_ERROR (Status)) {
 goto FreeBlobs;
 }
+ Status = VerifyBlob (
+ CurrentBlob->Name,
+ CurrentBlob->Data,
+ CurrentBlob->Size
+ );
+ if (EFI_ERROR (Status)) {
+ goto FreeBlobs;
+ }
 mTotalBlobBytes += CurrentBlob->Size;
 }
 KernelBlob = &mKernelBlob[KernelBlobTypeKernel];
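Review bot: In the second hunk a VerifyBlob failure takes the same silent `goto FreeBlobs` as a FetchBlob failure, so a rejected blob and a fw_cfg read error leave identical traces, which matters once a real BlobVerifierLib is wired in for confidential-computing builds. If DebugLib is already in scope in this file (not visible in the hunk), I would log before the jump: `DEBUG ((DEBUG_ERROR, "%a: VerifyBlob() failed: %r\n", __FUNCTION__, Status));`. The code itself does not say why the call exists; a short comment above it, e.g. `// The blob came from the host via fw_cfg and is untrusted; VerifyBlob is the hook for BlobVerifierLib to reject it.`, would carry the commit message's rationale into the source. The include added in the first hunk has its header name stripped in this rendering, so it cannot be checked here. The enclosing loop and QemuKernelLoaderFsDxeEntrypoint both start and end outside the hunk.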